RE: Top Ten Web App Sec Problems

- Insecure Storage of Keys and Passwords
- Insecure Backside Protocols
- Insecure Use of Encryption
The above three items you listed I've seen too many times.

These types of issues are bad for security among internal people as well as hackers. I've talked to companies specializing in "plug and play" web portals for use as corporate portals and they don't seem to care about security as a priority.

Developers don't realize that there have been methods for clients to see the code that goes into an ASP script, and that the backend database access is not as hidden as they thought.

In addition, it's been tough preaching differences between development and production systems in using different databases and accounts. Backend systems to web front ends may do things such as process (refill) prescription drugs, manage an employee's payroll (W4 changes, Savings Plans, etc.), read corporate email, order merchandise (credit card usage), etc. Accounts used for such systems don't always get managed by a proper security organization, but are controlled by developers who believe the world is a safe place.

Encryption. There are big name software providers for E-Commerce who don't manage encryption of credit card numbers in their database.
> -----Original Message-----
> From: Jeff Williams @ Aspect
> [mailto:jeff.williams@aspectsecurity.com]
> Sent: Monday, December 02, 2002 9:16 PM
Received on Tue Dec 3 10:18:54 2002
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:07:45 EDT